Thanks all -- I cleaned up the ones I could find. Please add to this thread if I missed any. The spambots in the Pico Dragon thread were a particularly nasty bunch, with ip addresses all over the place :(

The next BBS update includes spam flagging and improved spammer prevention at sign-up : play a small PICO-8 game to prove that you're not only human, but also human with a minute to spare.

I know having people who moderate other people's posts can be tricky. Too many interpersonal issues, judgment calls being made badly, stuff like that.

I assume that's why you responded to requests for moderators with a yet-to-arrive flagging system. I don't think that's enough, though. You seem to be a busy guy, and I suspect you won't be able to review flagged posts frequently enough.

You don't need to make anyone a full moderator. No one needs a title or a badge. Just quietly pick a few of us who you think have the best interests of the community at heart, and give them just one single ability: to move a post to another hidden "quarantine" board. Then you can periodically check quarantined posts to be sure we did our job right.

I'm not sure if I'm someone you'd trust that way, but if so, I'm happy to volunteer a little of my time and energy to doing something like that for the community. I can think of a few other people, but I won't presume to volunteer their time.

@Felice
Heh, that was me thumb-typing to delete spam, as I'm traveling right now and don't have my usual tools. But! I did add some admin functionality:

@MBoffin and @Felice -- check out a user's posts page for a 'mark as spam' button. It's a temporary solution and a little dangerous, but reverseable if you mess up. And thanks so much for the rigorous spam marking so far.

If any other regular forum members are keen to hunt spam in this way until I get a better system in place, please reply here and I'll add you.

I'm also working on improving sign-up screening and at-post tripwires, so hopefully there won't be much spam to catch in the future. The lexaloffle BBS has the defensive advantage of being completely hand-rolled, but it seems there are at least a couple of spammers out there monitoring it and manually working around changes I make to the way posts work. I don't think it will be too hard to add enough friction to that process to shake them off -- it just hasn't been a high priority until now.

The BBS signups will soon require a google captcha, but later on I'd also like to add a weaker but more entertaining layer:

Awesome. Thanks, zep! That should help quite a bit until the other changes eventually go through. It's never any fun having to play whack-a-mole with spammers and their wily ways, but having a better captcha will certainly help. (And I love the captcha cart idea.) :D

Another user, ellascott, also kinda looks like a spammer, because lots of posts all of a sudden, and all brief with links at the end. But on closer inspection, I think she just appears to be linking to her own games.

So right off the bat, that was a good reminder to me: don't jump to conclusions.

The "aweosem" post over is present on other threads. Looks like they're copying posts from random threads.

@zep A trick that works rather well to tell apart spambots and humans, is just adding a field that is NOT of type=hidden, but a real input with appealing attributes, like <input type="text" class="important" name="email" placeholder="Enter e-mail here">. Then hide it to human eyes with a display:none, or placed behind another element, or with negative position, etc. The most complicated, the better, so that a bot can't easily tell if the input is used or not (a display:none straight on the input is easy to catch).
Then your form validation checks if this input is empty as intended. If it's not, it's been filled by a bot.

Maybe checking with JS whether the submit button has really been pressed could work too.

That is: first, solutions that are transparent for real users. Then, using a captcha.

A lot of these aren't bots. They actually respond to the specific subject matter intelligently and on-point, not just regurgitating previous text with markov chains or saying vague things that could apply to any subject, and then tack on a link, probably to malware. Pretty sure there's an actual human creating the account, so anti-bot tactics won't help.

My theory is they're putting in this effort in hopes of getting a keylogger onto some dev's machine, where the machine has remote privs on some big corpnet, e.g. MS or google, so they can steal credentials, trade secrets, etc. I think it's targeted specifically at developer forums. I've found the same links on similar forums.

Been getting a lot of spam on my site as well via the contact form. Most likely because the bots have invaded this forum, since the site isn't posted anywhere else online (that I know of), so they're following links and trickling down as well into sub-communities. I get probably 8-10 emails a day through the contact form from bots offering web development and SEO services (I work a full-time job as a web developer, morons) and Viagra (at 36 I would hope it's not quite time for that yet). Going to implement reCAPTCHA on there as well. Fortunately it's pretty easy to do once you know how ( @zep if you need help lemme know, I've already written a PHP class for it!)